Fri, Jan 23 2009 6:57 Don

Centralized Information About The Conficker Worm

Since Microsoft released security update MS08-067, we have published information about MS08-067 exploits, and specifically about the Conficker worm, in our malware encyclopedia and in multiple blog posts, for example here. This post summarizes the information Microsoft has provided on the Conficker worm and the vulnerability it exploits, which Microsoft addressed with MS08-067.

First, we outline the attack vectors, because it’s important for customers to understand that the Conficker worm uses a variety of them to infect machines. Based on this analysis, we follow up with guidance on what customers can do to protect themselves. The first and most important piece of guidance is to immediately deploy the security update associated with Microsoft Security Bulletin MS08-067, if you haven’t already. However, because this worm uses a number of additional attack vectors, we provide additional information and guidance to help you build a defense-in-depth approach. Finally, we close with information and pointers on how to clean up your machine using the Microsoft Malicious Software Removal Tool.

Let’s examine again the ways this worm spreads. So far, only two variants of the worm have been discovered in the wild. The first one, Worm:Win32/Conficker.A, was first reported Nov. 21, 2008 and propagates only by exploiting the vulnerability addressed by security update MS08-067. This variant avoids infecting computers that use the Ukrainian keyboard layout, which raised the suspicion that the malware developer is located in Ukraine. Worm:Win32/Conficker.B, the second variant, was reported Dec. 29, 2008. This variant uses multiple propagation methods:

http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx
